As DPDPA Kicks In, Are Startups Ready For Privacy Compliance Burden?

The rollout of India’s Digital Personal Data Protection Act (DPDPA) and its 2025 rules marks the country’s first comprehensive data‑privacy regime, mirroring the EU’s GDPR. By mandating transparent data processing, consent management, and a phased compliance schedule, the law compels firms of all sizes to overhaul their data‑governance stacks. Analysts estimate the immediate compliance‑as‑a‑service market at roughly $1.2 billion, with a longer‑term horizon of $3‑4 billion as enterprises seek integrated, end‑to‑end solutions. This regulatory push is catalyzing a wave of niche startups and established players alike, all racing to capture a slice of the burgeoning market.

IDfy exemplifies how early bets on privacy infrastructure can pay off. After five years of building its Privy platform—80% data‑governance, 20% consent—the startup secured a government competition win and now reports FY25 revenue of ₹188.5 cr (≈$22.7 m), edging past the ₹200 cr (≈$24 m) milestone for FY26. Privy currently contributes about 10% of IDfy’s top line, but founders expect a balanced revenue mix across onboarding, risk, and privacy within two years. The company’s strategy to open‑source core components aims to lower entry barriers for SMEs, positioning IDfy as both a service provider and an ecosystem enabler.

For smaller firms, the DPDPA presents a disproportionate burden: limited budgets, scarce legal expertise, and the need for rapid implementation. Vendors are responding with tiered pricing—Cross Identity’s Vishwaas AI offers zero licence fees until mid‑2026, then a modest $15k support fee—while others, like IDfy, plan to release basic compliance code publicly. Core priorities for SMEs include data discovery, classification, and lightweight DSAR automation, coupled with fundamental security controls such as encryption and access logging. By leveraging SaaS‑based, modular solutions, these businesses can achieve day‑one compliance without diverting critical resources from growth initiatives, ensuring the broader Indian tech ecosystem remains resilient under the new privacy regime.